Guest
General Data Processor Agreement
One of our customers which we deliver services to want us to sign their Data Processor Agreement. However the scope of this agreement list a lot more personal data types than we process. The scope seems to be general (exhaustive list) so they can use the same scope for all suppliers instead of describing the scope of the explicit Data Processing we will do. Is this acceptable according to EU GDPR?
Assign topic to the user
Expert
Andrei Hanganu
Apr 21, 2018
The Data Processing Agreement should be in accordance with the requirements of EU GDPR art. 28(3) “Processor” https://advisera.com/eugdpracademy/gdpr/processor/ states among others that the Data Processing Agreement must contain a description of:
- scope, nature and purpose of processing;
- duration of the processing; and
- types of personal data and categories of data subjects.
So, as you can see it must refer to the data which is actually processed.
To find out about the duties of the processors you can check out our article “EU GDPR controller vs. processor – What are the differences?” https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/
- scope, nature and purpose of processing;
- duration of the processing; and
- types of personal data and categories of data subjects.
So, as you can see it must refer to the data which is actually processed.
To find out about the duties of the processors you can check out our article “EU GDPR controller vs. processor – What are the differences?” https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/
Comment as guest or Sign in
Apr 19, 2018
Apr 21, 2018
Apr 21, 2018